UNITED STATES DISTRICT COURT 
FOR THE DISTRICT OF COLUMBIA 



VIETNAM VETERANS OF AMERICA, 
et al., 

Plaintiffs, 



R. James NICHOLSON, et al, 



Defendants. 



Civ. No. 1:06-CV-01038(JR) 



PLAINTIFFS' MOTION FOR PARTIAL SUMMARY JUDGMENT 

Plaintiffs hereby move the Court pursuant to Rule 56 of the Federal Rules of Civil 
Procedure and Local Civil Rule 56.1 for summary judgment on the issue of Defendants' 
violations of 5 U.S.C. §§ 552a(e)(10) and 552a(g)(1)(D). 1 A Statement of Material Facts 
as to Which There is No Genuine Issue is attached. The grounds for Plaintiffs' motion 
are set forth in the attached Memorandum of Points and Authorities. 

A proposed order is attached hereto for the Court's consideration. 

Wherefore, Plaintiffs respectfully request that the instant motion be GRANTED. 

Respectfully submitted, 



/s/ 



L. Gray Geddie (D.C. Bar No. 421357) 
Douglas J. Rosinski (D.C. Bar No. 461275) 
Ogletree, Deakins, Nash, 
Smoak & Stewart, P.C. 
1320 Main St. 
Columbia, SC 29201-3266 
Attorneys for Plaintiffs 

Dated: January 9, 2007 

1 This motion is in addition to Plaintiffs' forthcoming opposition to "Defendants' Motion to Dismiss or, in 
the Alternative, For Summary Judgment," which Plaintiffs will file no later than January 31, 2007. 
UNITED STATES DISTRICT COURT 
FOR THE DISTRICT OF COLUMBIA 



VIETNAM VETERANS OF AMERICA, 



et al., 



Plaintiffs, 



R. James NICHOLSON, et al, 



Defendants. 



Civ. No. 1:06-CV-01038(JR) 



STATEMENT OF MATERIAL FACTS AS 
TO WHICH THERE IS NO GENUINE ISSUE 

1. The Department of Veterans Affairs ("VA") is a federal agency as defined in the 
Privacy Act of 1974, as amended (the "Privacy Act"), 5 U.S.C. § 552a. 

2. On May 3, 2006, the VA "Veterans and Beneficiaries Identification and Records 
Location Subsystem-VA" ("BIRLS"), the VA "Compensation, Pension, Education and 
Rehabilitation Records - VA, System No. 58VA21/22" ("C&P file"), the 2001 National 
Survey of Veterans ("NSV"), the Veterans Health Administration ("VHA") National 
Enrollment Data file, and a Department of Defense file of over 6,700 individuals who had 
been exposed to mustard gas and other substances were each a "system of records" 
containing numerous individual "records" as defined by the Act. 

3. On Wednesday, May 3, 2006, the records of approximately 26 million veterans 
and United States military personnel were stolen from the home of a VA employee 
("John Doe"). Review of Issues Related to the Loss of VA Information Involving the 
Identity of Millions of Veterans (July 11, 2006) ("VA OIG Rep't") (attached as Ex. A) 
at i, 1. 
4. The records stolen from John Doe's home included large record extracts from 
BIRLS and the C&P file, the NSV, a file extracted from both the VHA National 
Enrollment Data file and the C&P file, and a file of records for over 6,700 individuals 
who had been exposed to mustard gas and other substances ("stolen records"). VA OIG 
Rep't at 3, 7-8. 

5. John Doe did not use any sort of encryption or any type of password protection in 
storing the stolen records and failed to physically safeguard the stolen records. VA OIG 
Rep't at 7. 

6. Defendants were aware of inherent risks associated with the removal of data from 
a protected environment that can result in potential disclosure of Privacy Act records 
through loss or theft. VA OIG Rep't at 32. 

7. On May 3, 2006, VA regulations, including 38 C.F.R. § 1.576, required that VA 
safeguard individuals against an invasion of personal privacy and that VA establish and 
maintain adequate safeguards to prevent misuse of such information. VA OIG Rep't at 6. 

8. On May 3, 2006, inherent risks associated with the removal of data from a 
protected environment that could result in potential disclosure of Privacy Act records 
through loss or theft were not addressed in VA policies and procedures. VA OIG Rep't 
at 32. 

9. On May 3, 2006, VA did not have any policy, process or procedure that specified 
how personal information in Privacy Act records under VA's control was to be 
safeguarded when personal information, such as the stolen records, was removed from 
the workplace. VA OIG Rep't at 6-7. 

10. On May 3, 2006, VA did not have any means to identify or prevent the removal of 
the stolen records from the VA workplace and the VA policies and the administrative 
controls then existing were not adequate to prevent the theft of the stolen records. VA 
OIG Rep't at 27, 29. 

11. A link on the VA intranet provided VA employees the questions and answers to 
questions asked during employee information security training and allowed employees to 
print a "Certificate of Training" without accessing the training module or attending live 
training. VA OIG Rep't at 32-33. 

12. On May 3, 2006, the VA employee security training modules specifically 
identified the loss of personal computer equipment or storage media containing personal 
information such as Privacy Act records as potentially resulting in the use of the 
information for "theft and fraud." VA OIG Rep't at 11. 

13. On May 3, 2006, VA employee security training plans stated that private and 
uncontrolled media may present a security risk if left unprotected. Defs.' Mem. at 11. 

14. On May 3, 2006, VA did not have any policy or procedure to protect Privacy Act 
records removed from the VA worksite, required employees to obtain authorization 
before removing such records from a VA worksite, prohibited the use of non-VA 
computers to process or store Privacy Act records, or that required safeguards such as 
password protection or encryption when Privacy Act records were stored on portable 
storage media or non-VA computers. VA OIG Rep't at 29, 30, 31. 

15. Although on May 3, 2006, VA Handbook 6300.4, "Procedures for Processing 
Requests for Records Subject to the Privacy Act," issued January 12, 1998, required VA 
to implement procedures to ensure data, including Privacy Act records, were not removed 
from the VA worksite without proper authorization and documentation, no such 
procedures existed. VA OIG Rep't at 30. 

16. On May 3, 2006, there was a "gap" between Privacy Act legal requirements and 
VA policies and processes designed to ensure compliance with this law and VA policies 
did not provide safeguards for protecting Privacy Act information from loss or theft when 
the information resided outside a VA automated system. VA OIG Rep't at 31-32. 

17. VA Directive 0710 requires background screenings commensurate with the risk 
involved for any positions that require access to VA information systems, including 
Privacy Act systems of records, but John Doe, the VA employee who took home the 
records of approximately 26 million individuals, had never been vetted through the VA's 
background investigation process for suitability to access to those records, although he 
had worked at VA for decades. VA OIG Rep't at 34. 

18. VA does not maintain any list of the status of background checks conducted for 
employees in the office in which John Doe worked and the manager delegated the 
authority to determine position sensitivity levels has never re-evaluated the risk factors or 
the sensitivity level designation of any data analyst. Mem. of Interview, Management 
Analyst, VA Office of Policy, Planning, and Preparedness (June 20, 2006) (attached as 
Ex. B). 

19. Investigation following the May 3, 2006, data theft revealed that a number of 
other employees assigned to John Doe's office, some of whom had similar data access 
privileges, also had no suitability determinations. VA OIG Rep't at 35. 

20. In FY 2005, OIG had identified to Defendants instances where background 
investigations and reinvestigations were not initiated in a timely manner or were not 
initiated at all. VA OIG Rep't at 46. 

21. The Secretary is ultimately responsible for ensuring that VA Privacy Act records 
are safeguarded in compliance with applicable statutory and regulatory requirements. 
VA OIG Rep't at 41. 
22. The Secretary did not correct the deficiencies in Privacy Act safeguards identified 
by the OIG in 2005. 

Respectfully submitted, 

/s/ 



L. Gray Geddie (D.C. Bar No. 421357) 
Douglas J. Rosinski (D.C. Bar No. 461275) 
Ogletree, Deakins, Nash, 
Smoak & Stewart, P.C. 
1320 Main St. 
Columbia, SC 29201-3266 
Attorneys for Plaintiffs 



Dated: January 9, 2007 
UNITED STATES DISTRICT COURT 
FOR THE DISTRICT OF COLUMBIA 



VIETNAM VETERANS OF AMERICA, 
et al., 

Plaintiffs, 



R. James NICHOLSON, et al, 



Defendants. 



Civ. No. 1:06-CV-01038(JR) 



MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF 
PLAINTIFFS' MOTION FOR PARTIAL SUMMARY JUDGMENT 

Defendants have conceded all the material facts required to establish their liability 
for violations of the Privacy Act of 1974, as amended ("Privacy Act"). The Privacy Act, 
implementing statutes at 5 U.S.C. § 552a, and Department of Veterans' Affairs ("VA") 
regulations, policies, procedures, and processes establish Defendants' clear duties and 
responsibilities to insure the security of, and to protect against any anticipated threats or 
hazards to, personal information under their control, which could result in substantial 
harm, embarrassment, or inconvenience to any individual on whom VA maintained such 
information. Contrary to these explicit requirements, Defendants' regulations, policies 
and procedures either did not exist, or were not complied with, and, in any event, 
ultimately failed to prevent a single employee from not only hazarding, but actually 
losing control of, approximately 26 million Privacy Act records. This ignorance of, or 
contempt for, the Privacy Act safeguards requirements establishes Defendants' liability to 
Plaintiffs, as a matter of law, for the largest theft of personal information containing 
Social Security numbers in the country's history. 

Indeed, notwithstanding the myriad of other legal and factual issues in dispute, 
there is no genuine issue of fact regarding Defendants' liability for violation of 5 U.S.C. 
§ 552a(e)(10), as Defendants have publicly admitted the safeguards violations and the 
massive potential harm arising therefrom. The Court, therefore, should not hesitate to 
grant Plaintiffs summary judgment on this issue. The remaining issues of whether 
Defendants' violations were intentional or willful and Plaintiffs' damages can then be 
resolved. 

RELEVANT FACTUAL BACKGROUND 

On Wednesday, May 3, 2006, a burglar or burglars stole a laptop computer and an 
external hard drive from the Maryland home of a Department of Veterans Affairs ("VA") 
employee ("John Doe"). Review of Issues Related to the Loss of VA Information 
Involving the Identity of Millions of Veterans (July 11, 2006) ("VA OIG Rep't") (attached 
as Exhibit A) at i-ii; "Defendants' Memorandum in Support of Defendants' Motion to 
Dismiss or, in the Alternative, For Summary Judgment" (Nov. 20, 2006) ("Defs.' Mem.") 
at 1. The laptop and hard drive were Mr. Doe's personal property. VA OIG Rep't at i; 
Defs.' Mem. at 1-2. The stolen hard drive contained files of Privacy Act records 
downloaded from VA computers with "personal information pertaining to millions of 
veterans." VA OIG Rep. at ii; Defs.' Mem. at 2. The VA employee had removed the 
downloaded Privacy Act records to his home over a period of years without detection by 
any VA security apparatus. VA OIG Rep't at i-ii; 3, 6-7; Defs.' Mem. at 2, 12-13. The 
Privacy Act records stored at the VA employee's home were not encrypted in any way 
and were not stored in a security container. VA OIG Rep't at 7; Defs.' Mem. at 2. 

The VA Office of Inspector General ("OIG")'s investigation into the 
circumstances of the May 3, 2006, theft explicitly and unequivocally found that 
Defendants' policies, practices and procedures failed to address, much less provide 



1 To protect the privacy of this individual, Plaintiffs do not identify the employee by name, although the 
identity is known to us. 
adequate safeguards for, personal information contained in Privacy Act records 
downloaded from VA computer systems and removed from the VA worksite. See OIG 
Rep't at 27-42. VA policies did not provide any safeguards for protecting Privacy Act 
records from loss or theft when the information resided outside a VA automated system, 
although this specific vulnerability was used by Defendants as an example of potential 
risk in the employee information security training. The OIG specifically found that there 
was a "gap" between Privacy Act legal requirements and VA policies and processes 
designed to ensure compliance with the Act. Id. at 31-32. 

Moreover, this "gap" existed despite Defendants' knowledge of the "inherent 
risks associated with the removal of the data from a protected environment that can result 
in potential disclosure" of Privacy Act records "through loss or theft." VA OIG Rep't at 
32. These "inherent risks" were simply not "addressed in VA policies and procedures" 
on May 3, 2006. Id. Nowhere in the detailed report did OIG imply, much less assert, 
that "removal of data" from a VA worksite was "unforeseeable" or a "novel" event that 
was somehow beyond the scope of VA's duty of safeguarding veterans' personal 
information. Indeed, such an assertion would be ridiculous because at the time of the 
data theft approximately 40,000 VA employees had remote access to VA Privacy Act 
records from their private computers. Tr. of Sworn Testimony of Pedro Cadenas, Jr., 
Associate Deputy Assistant Secretary for Cyber and Information Security and Acting 
Deputy Chief Information Officer (June 6, 2006) (attached as Ex. C) at 37. Each of 
these employees could, indeed had to, download Privacy Act records and other sensitive 
information to their personal computers to perform work from those computers. The 
absolutely foreseeable result is the same as with John Doe: Privacy Act records stored 
willy-nilly on private computers outside the VA. Yet, Defendants failed to deploy any 

2 Mr. Cadenas has since resigned. 
safeguards against this huge - and fundamental - threat to the security of the Privacy Act 
records under their control. 

To the contrary, the VA OIG found that the agency had violated its own 
regulations at 38 C.F.R. § 1.576 by failing to implement any policy, process or procedure 
to safeguard personal information, including Privacy Act records, removed from a VA 
workplace. VA OIG Rep't at 6-7. Specifically, VA did not have any policy that 
prohibited employees from removing Privacy Act records from the VA worksite, required 
employees to obtain authorization before removing the records, prohibited the use of non-VA 
computers to process or store Privacy Act records, or required safeguards such as 
password protection or encryption when Privacy Act records were stored on portable 
storage media or non-VA computers. Id. at 29, 30, 31. In addition, VA failed to enforce 
the few policies it did have by permitting a VA employee to repeatedly download and 
remove the personal records of essentially every living veteran and active duty service 
member without raising suspicion because there were no procedures to implement even 
the most basic safeguards against improper and unauthorized file copying. Id. at 30. 
Further, VA completely ignored the requirements of VA Directive 0710 by permitting the 
same VA employee unfettered and unmonitored access to Privacy Act records without a 
background check. 4 Id. at 34. 

In sum, Defendants failed to raise any security barriers or employ any safeguards 
to detect, much less prevent, even the most basic threat to the security or integrity of the 
over 26 million stolen records - an employee simply walking out the front door with 
them in his pocket. It is beyond reasonable dispute that in May 2006 any legitimate 



3 Defendants' failure to at least ask Mr. Doe the reason for his downloading the Privacy Act records is 
especially egregious as the VA data center logged Mr. Doe's system entries. Tr. of Sworn Testimony of 
Unidentified VA Information Security Specialist (June 7, 2006) (attached as Ex. D) at 9. 

4 For the purposes of this motion, it is not necessary to resolve the curiosity of how an individual can be 
"authorized" without satisfying all the requirements to obtain that authorization, as the failure to perform 
the required background check is sufficient to find a violation. 
attempt to protect Privacy Act records should have addressed at least the possibility of 
such an occurrence. Thus, the only legal basis for Defendants not erecting any 
safeguards against such a possibility would be an analysis that such an event either could 
not occur or, if it occurred, could not have resulted in substantial harm, embarrassment, 
inconvenience, or unfairness to the individuals. There was - and remains - no factual 
basis for such a conclusion. Defendants, therefore, as a matter of law, violated the 
Privacy Act. 

STATUTORY REQUIREMENTS FOR SAFEGUARDING RECORDS 
The Privacy Act gives federal "agencies detailed instructions for managing their 
records." Doe v. Chao, 540 U.S. 614, 618 (2004) (emphasis added). The act defines a 
"record" as "any item, collection, or grouping of information about an individual that is 
maintained by an agency, including, but not limited to . . . his name, or the identifying 
number, symbol, or other identifying particular assigned to the individual." 5 U.S.C. 
§ 552a(a)(4). The act further defines "a system of records" as "a group of any records 
under the control of any agency from which information is retrieved by the name of the 
individual or by some identifying number, symbol, or other identifying particular 
assigned to the individual." Id. § 552a(a)(5). Congress also provided "various sorts of 
civil relief to individuals aggrieved by failures on the Government's part to comply with 
the requirements." Chao, 540 U.S. at 618. 

Among the many "detailed instructions" in the Privacy Act are a collection of 
specific "Agency Requirements" described in 5 U.S.C. § 552a(e). In particular, the 

Privacy Act requires each federal agency that maintains a system of records to: 

[E]stablish appropriate administrative, technical, and physical safeguards 
to insure the security and confidentiality of records and to protect against 
any anticipated threats or hazards to their security or integrity which could 
result in substantial harm, embarrassment, inconvenience, or unfairness to 
any individual on whom information is maintained. 
5 U.S.C. § 552a(e)(10) (emphasis added). A plain reading of this language finds no 
requirement for actual harm, actual damages, or actual disclosure of a Privacy Act record 
for a violation. A failure to safeguard records from threats that could result in substantial 
harm, embarrassment, or inconvenience to the adversely affected individual is all that is 
required. Further, there are no caveats, prerequisites, or exceptions to this clear and 
straightforward statutory requirement. 

The "various sorts of civil relief" authorized by the Privacy Act are specified in 
5 U.S.C. § 552a(g)(1) "Civil Remedies." This section specifically addresses incorrect 
determinations under section 552a(d)(3), 5 U.S.C. § 552a(g)(1)(A), refusals to comply 
with an individual request under section 552a(d)(1), id. § 552a(g)(1)(B), and failures to 
properly maintain a record which results in an adverse determination. Id. 
§ 552a(g)(1)(C). The final civil remedy provision states that "[w]henever any agency . . . 
fails to comply with any other provision of this section, or any rule promulgated 
thereunder, in such a way as to have an adverse effect on an individual, the individual 
may bring a civil action against the agency." Id. § 552a(g)(1)(D) (emphasis added). 
Defendants' violations of 5 U.S.C. § 552a(e)(10) are, therefore, subject to civil remedy. 

I. DEFENDANTS VIOLATED THE PRIVACY ACT 
SAFEGUARDS REQUIREMENTS 

A. The Legal Requirements Are Clear 

Defendants failed to safeguard Plaintiffs' personal information as required by the 
Privacy Act in at least three specific ways: (1) the undetected downloading of Privacy 
Act records to John Doe's personal storage media; (2) removal of this massive amount of 
supposedly safeguarded information from the VA work space over a period of several 
years without challenge; and, (3) the actual theft of the unprotected records. Each of 
these three events (or series of events) violated the safeguards requirements of 5 U.S.C. 
§ 552a(e)(10). The final event, the actual theft of millions of Privacy Act records, 
stripped away whatever veneer of credibility Defendants' safeguards retained at the time. 
Further, each of these types of occurrences were not only foreseen, but used in VA 
employee information security training as examples of unacceptable risk. Defendants 
cannot now simply claim that these same threats and risks were not reasonably 
foreseeable, see, e.g., Defs.' Mem. at 66-68 ("people often fail to foresee disasters of a 
kind that have not yet occurred"), because they did foresee them, they just decided to 
ignore their Privacy Act responsibilities to address the risks. 

Defendants' reticence to perform their duties notwithstanding, safeguarding the 
private information of individuals from agency misfeasance and malfeasance was one of 
the major thrusts of the Privacy Act. As stated in the Act itself, the purpose was "to 
provide certain safeguards for an individual against an invasion of personal privacy by 
requiring Federal agencies" to insure, inter alia, "that adequate safeguards are provided 
to prevent misuse of such information." Pub. L. 93-579, § 2(b). Further, the Senate 
Committee on Government Operations identified that one of the "Five Major Ways" of 
accomplishing the Act's purposes was by 

[e]stablish[ing] certain minimum standards for handling and processing 
personal information maintained in the data banks and systems of the 
executive branch, for preserving the security of the computerized or 
manual system, and for safeguarding the confidentiality of the 
information. 

S. Rep. No. 93-1183 at 2 (emphasis added). To accomplish "this end," the Privacy Act 
requires every agency to: 

[i]ssue appropriate administrative orders, provide personnel sanctions, and 
establish appropriate technical and physical safeguards to insure the 
security of the information system and the confidentiality of the data. 

Id. at 2-3 (emphasis added). The Committee Report language makes it very clear that the 
security of an agency's information systems was viewed as a critical part of the overall 
safeguarding of an individual's information. 
To remove any doubt regarding the key role played by safeguards and security of 
the information system in the overall legislative scheme to protect information privacy, 
the Committee explicitly directed affirmative and diverse security actions. 

This means, furthermore, that certain computer hardware and software 
used to operate the information systems of government should provide 
features which will promote the necessary security of any part of the 
system and the confidentiality of the information processed and handled 
by means of it. 

Id. at 16 (emphasis added). Congress, therefore, not only directed "safeguarding" and 
"security" of personal information in government in agency computer systems, it 
explicitly identified that, as a minimum, hardware and software "features" were to be 
used by the agencies to ensure adequate protection of Privacy Act records. 

B. Defendants Admit Facts Establishing Violation of the 
Privacy Act Safeguards Requirements 

The dispositive facts of Defendants' failure to comply with the Privacy Act's 
requirements to safeguard and protect personal information entrusted to VA are clear, 
undisputed, and indeed indisputable. One need look no farther than the agency's own 
OIG report to determine that Defendants violated 5 U.S.C. § 552a(e)(10) with regard to 
the Privacy Act records stolen from the VA employee's home. Indeed, the facts as 
established by the VA OIG identify multiple violations of the Privacy Act safeguards 
requirements by Defendants. 5 

1. Defendants admit that they failed to establish appropriate administrative, 
technical, and physical safeguards 

Contrary to the requirements of the Privacy Act, on May 3, 2006, Defendants did 
not have any safeguards against VA employees downloading Privacy Act records onto 



5 As harsh as it is, the VA OIG Report omitted many facts relevant to Defendants' Privacy Act violations 
which are contained in sworn testimony of agency employees and officials and the numerous internal 
agency documents obtained in preparation of the report. Even the OIG's sanitized version of the facts, 
however, admit to violations sufficient to establish liability pursuant to 5 U.S.C. § 552a(e)(10). 
personal storage media and removing the records from the VA workspace. "Each agency 
that maintains a system of records shall . . . establish appropriate administrative, 
technical, and physical safeguards to insure the security and confidentiality of records." 
5 U.S.C. § 552a(e)(10) (emphasis added). Contrary to this explicit requirement, the OIG 
found no policies or procedures existed to prevent the VA employee from taking the 
records of essentially every living veteran home. The "VA's policies and procedures for 
safeguarding information and data" were "not adequate in preventing the loss of the 
[stolen] data." OIG Rep't at 27. Further, there "was no consolidated repository of 
instructions and requirements that employees could research and follow." Id. The OIG 
"review confirmed that there was no consolidated and current set of policies and 
procedures that employees and contractors could access to ensure all applicable 
requirements [were] being met." Id. at 28. To dispel any doubt regarding the lack of 
administrative safeguards, the OIG concluded that: 

VA did not have sufficient policies and procedures in place to prevent this 
recent data loss incident, or any other such incident, that would have 
involved the disclosure of protected information. We did not identify any 
VA policy that prohibited employees or contractors from removing 
protected information from the VA worksite, required employees or 
contract employees to obtain authorization before removing the 
information, prohibited the use of non-VA computers to process or store 
protected information, or that required safeguards such as password 
protection or encryption when protected information was stored on 
portable storage media on non-VA computers. 

VA OIG Rep't at 29 (emphasis added). 

This passage is chilling, not only because the agency's own Inspector General 
unequivocally concluded that Defendants failed to implement any administrative 
safeguards (and thus, violated 5 U.S.C. § 552a(e)(10)), but because it raises the specter 
that similar incidents could have gone, and continue to go, undetected. The OIG report, 
therefore, also highlights precisely why Congress placed so much emphasis in the 
Privacy Act on safeguards: a failure to properly safeguard records could (as it did here) 
enable millions of undetected disclosures. 

Further, the policies and procedures identified by VA as containing the required 
safeguards did not do so. For example, Defendants identified VA Directive 6502, 
"Privacy Program," to the OIG as relevant to safeguarding the stolen Privacy Act records. 
VA OIG Rep't at 29. According to the OIG, this document stated that "VA will ensure 
that all privacy-protected data maintained by or for, [sic] VA in any medium, is kept 
confidential, except when disclosure is permitted by law." Id. Yet, the "Directive does 
not specify how the information will be protected." Id. The OIG also found that "[n]one 
of the employees we interviewed was able to identify a policy or other requirement in 
place prior to May 3, 2006, that established specific requirements for safeguarding 
protected information when removed from the worksite." Id. (emphasis added). Thus, 
whether or not Defendants developed safeguards, VA employees could not possibly 
implement requirements of which they were completely unaware. 

VA also offered OIG a document entitled "Security Guidelines for Single User 
Remote Access" dated March 10, 2006, that purportedly had some relevance to the May 
3, 2006, records theft. VA OIG Rep't at 29. OIG, however, found several deficiencies 
which rendered this document defective as an administrative safeguard in this matter: 

(1) the document "was not an approved or published VA Directive, Handbook or policy;" 

(2) the document's "provisions did not provide adequate safeguards for information 
stored on portable media" in any case; and (3) the guidelines "were only applicable to 
employees with remote access to the VA intranet." Id. Thus, these "security guidelines" 
did not address the removal of records from a VA worksite to an employee's home. 



6 In contrast, a failure to correct an error in an individual's record, 5 U.S.C. § 552a(e)(6), only affects that 
single individual. Defendants' safeguards violations affected over 26 million individuals. 



VA Handbook 6300.4, "Procedures for Processing Requests for Records Subject 
to the Privacy Act" was equally deficient and ineffective in implementing administrative 
safeguards. First, the Handbook was issued on January 12, 1998, more than 8 years 
before the May 3, 2006, records theft, and had never been updated. VA OIG Rep't at 30. 
Second, the document refers only to "the protection of records on 'floppy disks'" not any 
other medium. Id. Next, the requirements applied only to actual requests for Privacy Act 
records submitted to VA. Thus, "[n]ot only is the Handbook outdated with respect to the 
current technology used to store information, employees would not be familiar with the 
cited provision unless they were processing a request for Privacy Act records." Id. As 
the OIG summed it up, this procedure simply "does not prohibit removing protected data 
from the worksite." Id. 

Finally, on May 3, 2006, VA did not even have a requirement mandating the 
fundamental safeguards of password or encryption protection for Privacy Act records. 
OIG "could not identify any VA policy in effect at the time of the incident that required 
[Privacy Act records] stored on portable media be password protected or encrypted, or 
that media devices or hard copy of records be secured by any specific means." VA OIG 
Rep't at 30 (emphasis added). Thus, no safeguard of any type existed on May 3, 2006, 
contrary to the Privacy Act and 5 U.S.C. § 552a(e)(10). 

Nor did VA "training" fill the "gap" left by Defendants' lack of safeguards. 
Indeed, the OIG found that VA's "cyber security and privacy awareness" training 
modules did "not adequately address safeguarding protected information when it is 
removed from VA premises." VA OIG Rep't at 32-33. Further, the entire training 
process is suspect as "a link on the VA intranet provides the questions and answers to 
questions asked during the training and allows employees to print a 'Certificate of
Training' without accessing the training module." Id. at 33 (emphasis added).
Defendants' assertions that VA training was an effective administrative safeguard, see, 
e.g., Defs.' Mem. at 9-11, therefore, are unfounded, if not disingenuous puffery. 

Defendants' violation of Privacy Act requirements for technical and physical 
safeguards is, if possible, even more blatant. Neither Defendants nor OIG identified any 
evidence of any technical or physical safeguards of any sort, at any time, for any VA 
Privacy Act records. This is despite Congress' specific description of government 
information system "computer hardware and software" design to "provide features which
will promote the necessary security of" Privacy Act records. S. Rep. No. 93-1183 at 16
(emphasis added). Defendants did not implement either type of safeguard despite over 30 
years to do so. 

Defendants' numerous failures to implement any administrative, technical, or
physical safeguards are, therefore, plain violations of the Privacy Act.

2. Defendants admit that they failed to require compliance
with the processes that were established

Contrary to the requirements of the Privacy Act, on May 3, 2006, Defendants did
not require VA employees to comply with agency policies or procedures, to the extent
that they were relevant, existing on May 3, 2006. "Whenever any agency . . . fails to
comply with any other provision of this [5 U.S.C. § 552a] or any rule promulgated
thereunder, in such a way as to have an adverse effect on an individual, the individual
may bring a civil action against the agency." Id. § 552a(g)(1)(D) (emphasis added).
Defendants, therefore, separately violated the Privacy Act safeguards requirements by
failing to comply with their own policies, procedures and guidelines.



7 It is unclear whether Defendants were aware that such a "workaround" was available, although it was 
hosted on their own internal agency network. At best, this is yet another example of Defendants' failure to 
implement any security for the information under their control, and only slightly less damning than a 
revelation that VA officials were aware of the compromised "safeguard" but allowed it to continue. 
For example, VA Handbook 6300.4, Section 9, requires that the agency
implement procedures to ensure Privacy Act records "are not removed or used outside 
Government buildings or installations without proper authorization and documentation." 
VA OIG Rep't at 30. Yet, OIG could not identify any such procedures, id., and Plaintiffs 
are not aware of any. Further, OIG could not find a single employee who was aware of 
any such policies or procedures. Id. 

Defendants fare no better when they actually produced an applicable requirement
as VA failed to enforce, or even monitor, its own policy for the management of the
personnel suitability and security program. According to the OIG, VA Directive 0710,
which "establishes policy" for "identification of a position's risk level," "requires
background screenings commensurate with the risk involved for any positions that
require access to VA information systems." VA OIG Rep't at 34.

The Directive requires assessments for all positions that require access to 
VA information systems. The Directive requires assessments for all 
positions by the appropriate [VA official] for the possible risk or harm that 
could result from an incumbent's loss, misuse, or unauthorized access to,
or modification of, VA information, including the potential for harm or 
embarrassment to an individual who is the subject of the records. 

Id. at 34 (emphasis added). Whatever else may be true, it is utterly indisputable that
Defendants lost 26 million Privacy Act records, whether it was for some weeks in May
and June 2006 or a few years since John Doe started removing the records from the VA
workspace. Thus, this Directive was intended to prevent precisely the situation presented
by Mr. Doe by requiring a periodic review of an employee's suitability and need for
access to Privacy Act records.

Yet, the VA employee who had walked out of his VA worksite with over 26
million Privacy Act records "had never been vetted through the background investigation
process for suitability." Id. (emphasis added). Nor was his situation unique as "a
number of other employees assigned to [same VA organization], some of whom have
similar data access privileges, also had no suitability determinations." Id. at 35. Without
suitability determinations, Defendants undermined essentially their only safeguard - the
ensured reliability and trustworthiness of the employees granted access to the Privacy Act
records.

Shockingly, although it was their only safeguard against the recognized risks of
inadvertent disclosure, Defendants made no attempt to supervise or even account for their
employees' suitability for access to Privacy Act records. In a statement curiously not
cited in the VA OIG Report, the government official delegated the responsibility to
determine position sensitivity levels stated unequivocally that VA does not maintain any
list of the status of background checks conducted for employees in the office in which
John Doe worked. Mem. of Interview, Management Analyst, VA Office of Policy,
Planning, and Preparedness (June 20, 2006) (attached as Ex. B). In addition, that official
has never re-evaluated the risk factors or the sensitivity level designation of any data
analyst. Id. In other words, VA management made no attempt to safeguard the agency's
Privacy Act records from unsuitable employees or to determine if employees were
unsuitably using Privacy Act records. Defendants' failure to conduct required
background checks is a gross - and inexcusable - violation of the Privacy Act.

Defendant Nicholson testified that the employee had not been vetted in over 32 years. Tr. of House
Veterans' Affairs Committee Hearing on VA Data Security Breach (June 29, 2006) (attached as Ex. E) at 7.

3. Defendants admit that they failed to protect against anticipated threats or
hazards to the security or integrity of the records

Defendants were fully aware of the threats posed by unauthorized removal of
unencrypted Privacy Act records to personal storage devices without appropriate physical
or password security. Defendants proudly point to three specific "lessons" in the annual
"Cyber Security Training" as somehow absolving Defendants from liability in this
matter. Defs.' Mem. at 10-11. Far to the contrary, however, the nature of this training -
and the threats to Privacy Act records explicitly identified by VA therein - plainly and
irrefutably establish that Defendants were well aware of the specific threat posed by
removal of Privacy Act records from the VA worksite, the vulnerability of the VA's
Privacy Act records to that threat, and potential safeguards to eliminate or mitigate the
vulnerability (which they failed to implement). Such knowledge is dispositive of liability
in the instant matter.

First, Defendants warned VA employees of the specific type of event that 
occurred on May 3, 2006. Defendants admit that a VA training lesson "states that 'the 
same computers that help us serve veterans' can be ' stolen and vandalized' and thus can 
be used for ' theft and fraud .'" Defs.' Mem. at 11 (emphasis added). The language of this 
admonition is not reasonably construed as other than a specific concern with the specific 
risk of an employee's laptop or desktop computer being taken and the Privacy Act 
records used to harm the individuals whose information was in the stolen records - 
exactly what happened to John Doe. Defendants, therefore, cannot legitimately assert 
that such a theft was "not reasonably foreseeable." To the contrary, the May 3, 2006, 
event was not only foreseen, it was the anticipated outcome of a failure to properly 
safeguard VA's Privacy Act records. 

Next, Defendants were well aware that individual employees could place Privacy 
Act records at risk. While the training was specific to VA, "many of the principles which 
are discussed are also relevant to you, as an individual computer user." Id. at 10. Indeed, 
VA emphasized that it is an individual's "responsibility as a VA employee" to "[p]revent
use by, or disclosure to, unauthorized persons" and noted the penalties for violating the
applicable legal requirements. Id. at 9-10. There is, therefore, no reasonable doubt that
Defendants actually knew that individual employees could place Privacy Act records at
unacceptable risk, but failed to act to reduce that risk.

Defendants were also fully aware of the risk from failing to implement technical
safeguards (such as password protection) to secure Privacy Act records. "One of the
lessons in the course deals with passwords." Defs.' Mem. at 10.

Stating that '[u]sing the correct username and password combination is the 
primary method in the VA of identifying and managing access to systems 
and computer programs,' the lesson prescribes the content of passwords 
and states: 'Using these rules will provide you with a 'strong' password. 
VA requires strong passwords on all information systems. 

Defs.' Mem. at 10 (emphasis added). Contrary to this training, Defendants did not
require password protection for Privacy Act records removed from VA systems. See,
e.g., VA OIG Rep't at 29. Defendants were very well aware of the security provided by
password protection and, conversely, the risks of not using that safeguard. It is ludicrous
to assert that the risk to Privacy Act records without password protection was "not
reasonably foreseeable" when, at the same time, that technology is touted by Defendants
as the "primary method" to reduce the risk to Privacy Act records.

Finally, Defendants also plainly knew that the failure to implement any physical
safeguard placed Privacy Act records at risk. In discussing data written "to a second
storage medium such as a diskette, zip disk, CD, [or] tape," VA employees were told to
"be sure to lock away the information in a secure area if it contains sensitive data."
Defs.' Mem. at 10-11 (emphasis in original). To emphasize the potential risk from
failure to comply with this safeguard, "the lesson further notes, '[p]rivate and uncontrolled
media . . . may present a security risk if left unprotected.'" Id. at 11 (emphasis added).

Great care is taken to manage and protect data while it is on the VA 
network but all this can be for nothing if the [diskette, zip disk, CD, or 
tape] is unprotected. 
Id. (emphasis added). There can be little, if any, doubt that Defendants were well
informed of the potential risks of failing to provide adequate physical safeguards, but
failed to do so in violation of the Privacy Act.

4. Defendants admit that failure to adequately safeguard the stolen records
could result in substantial harm, embarrassment, inconvenience, or
unfairness to the individuals on whom information is maintained

There is no reasonable argument that the May 3, 2006, theft of "identifying
information, including names and dates of birth for up to 26.5 million veterans and some
of their spouses" could have, did, and may continue to, have a substantial adverse impact
on the individuals whose personal information was so cavalierly exposed. In sworn
testimony to the House Veterans' Affairs Committee on May 25, 2006, Secretary
Nicholson characterized the theft as a "devastating occurrence" he estimated could cost
the government "way north of $100 million" and "could be" about $500 million. Tr. of
Sworn Testimony of R. James Nicholson before the House Committee on Veterans'
Affairs (May 25, 2006) (attached as Ex. F) at 7, 16-17 (emphasis added). Further, VA
received 105,753 phone calls on its data theft "hotline" in only the first three days after
the delayed announcement of the occurrence. Id. at 10. This event, therefore, was
significant to Defendants and the millions of veterans alike. Thus, the Secretary himself
eviscerated any argument that this event was not an occurrence that "could cause"
substantial harm to the individuals whose personal information had been put in harm's
way.

II. PLAINTIFFS ARE ENTITLED TO SUMMARY JUDGMENT 

The Court should grant Plaintiffs summary judgment on the issue of Defendants' 
liability for violating the Privacy Act safeguards requirements at 5 U.S.C. § 552a(e)(10). 
A court shall render judgment if the pleadings and admissions on file "show that 'there is 
no genuine issue as to any material fact and the moving party is entitled to a judgment as 
a matter of law.'" Fed. R. Civ. P. 56(c); McCready v. Nicholson, 465 F.3d 1, 7 (D.C. Cir.
2006); Tao v. Freeh, 27 F.3d 635, 638 (D.C. Cir. 1994). Although "all inferences must 
be viewed in a light most favorable to the non-moving party," "a dispute over a material 
fact is only 'genuine' if the evidence is 'such that a reasonable jury could return a verdict 
for the nonmoving party.'" McCready, 465 F.3d at 7 (quoting George v. Leavitt, 407 
F.3d 405, 410 (D.C. Cir. 2005)). Further, summary judgment "may be rendered on the 
issue of liability alone although there is a genuine issue as to the amount of damages." 
Fed. R. Civ. P. 56(c). 

Plaintiffs are properly before this Court and seek relief for Defendants' Privacy 
Act violations described above. The Complaint properly identifies Defendants and 
plainly placed Defendants on notice of the nature of Plaintiffs' claims. Plaintiffs alleged 
the injury-in-fact and causation requirements of Article III, which are further bolstered by 
the affidavits attached hereto. Nothing more is required for this Court to grant summary 
judgment regarding Defendants' Privacy Act safeguards violations. Thus, this Court can 
and should quickly dispose of this issue and move on to the issues of willfulness and 
damages. 
A. Jurisdiction and Venue Are Proper 

Plaintiffs properly invoked this Court's jurisdiction pursuant to 28 U.S.C. § 1331
as this is a civil action arising under the laws of the United States and pursuant to 5
U.S.C. §§ 552a(g)(1), (5) because this is a civil action to enforce a Privacy Act liability
created under 5 U.S.C. § 552a after September 27, 1975. Compl. ¶ 7. As a substantial
part of the events or omissions giving rise to Plaintiffs' claims occurred in this district,
venue is appropriate in this Court. Id. ¶ 8.

B. Plaintiffs Alleged Injury and Causation

Plaintiffs fully complied with Federal Rule of Civil Procedure 8 ("Rule 8"), which 
requires only that a complaint include "a short and plain statement of the claim showing 
that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2); see also Swierkiewicz v. 
Sorema, 534 U.S. 506, 512 (2002); Sparrow v. United Air Lines, 216 F.3d 1111, 1114 
(D.C. Cir. 2000). Rule 8 is explicit that "[n]o technical forms of pleading or motions are 
required" and that "each averment of a pleading shall be simple, concise and direct." 
Fed. R. Civ. P. 8(e); Sparrow, 216 F.3d at 1114. The "statement must simply 'give the
defendant fair notice of what the plaintiff's claim is and the grounds upon which it 
rests.'" Swierkiewicz, 534 U.S. at 512 (quoting Conley v. Gibson, 355 U.S. 41, 47 
(1957)). Plaintiffs fairly met this standard. 

Rule 8's "simplified pleading standard applies to all civil actions, with limited 
exceptions." Swierkiewicz, 534 U.S. at 513. This "is the 'accepted rule' in every type of 
case." Warren v. District of Columbia, 353 F.3d 36, 37 (D.C. Cir. 2004) (citing Conley, 
355 U.S. at 45-46). The only exceptions to this rule are averments of fraud or mistake 
pursuant to Federal Rule of Civil Procedure 9. Swierkiewicz, 534 U.S. at 513. A 
"requirement of greater specificity for particular claims is a result that 'must be obtained 
by the process of amending the Federal Rules, and not by judicial interpretation.'" Id. at 
515 (quoting Leatherman v. Tarrant County Narcotics Intelligence & Coordination Unit, 
507 U.S. 163, 168-69 (1993)). Plaintiffs' Complaint plainly satisfies Rule 8's liberal 
pleading requirements. 

Plaintiffs also specifically complained of injury caused by Defendants' violation 
of Privacy Act safeguards requirements at 5 U.S.C. § 552a(e)(10). Immediately after the 
first announcement of the records theft, Defendants stated on the official federal 
government website that the "data loss" 
[P]otentially affects all veterans who have ever filed a claim for VA
disability, or who have (or had) a VA insurance policy - no matter when 
the claim was filed or when they were discharged. These veterans would 
be included even if their claim was denied or they are not currently 
receiving benefits. 

http://www.firstgov.gov/veteransinfo.shmtl, "Latest Information on Veterans Affairs
Data Security," (May 26, 2006) (attached as Ex. G) (emphasis added). The named
individual Plaintiffs each alleged that they are military veterans. Compl. ¶¶ 14-17. The
named Plaintiffs affirm their veteran status, as well as their previous benefits
application(s) to VA in their attached affidavits. Aff. of Charles L. Clark (Dec. 27, 2006)
(attached as Ex. H) ¶¶ 4, 6; Aff. of David Cline (Dec. 14, 2006) (attached as Ex. I) ¶¶ 4,
7; Aff. of James E. Malone (Dec. 14, 2006) (attached as Ex. J) ¶¶ 4, 6; Aff. of John
Rowan (Dec. 13, 2006) (attached as Ex. K) ¶¶ 4, 6. Further, each named Plaintiff also
received a letter signed by Defendant Nicholson, "asking all veterans to be extra vigilant
and to carefully monitor bank statements, credit card statements and any statements
relating to recent financial transactions." Letter from R. James Nicholson (May 2006)
(attached as Ex. L) (emphasis added) at 2; see Aff. of Charles L. Clark ¶ 7; Aff. of David
Cline ¶ 8; Aff. of James E. Malone ¶ 7; Aff. of John Rowan ¶ 7. Thus, Defendants
themselves placed the named Plaintiffs within the "zone of interest" of the Privacy Act
created by the events described herein. Plaintiff organizations alleged that they
represented numerous other military veterans potentially adversely affected by
Defendants' illegal actions and inactions. Id. ¶¶ 9-13. See, e.g., Sierra Club v.
Mainella, 2006 U.S. Dist. LEXIS 77632 (D.D.C. 2006) ("associations such as plaintiffs
have standing to sue if at least one of the members satisfies the 'irreducible constitutional
minimum of standing'"). Thus, all Plaintiffs are properly parties seeking relief pursuant
to the Privacy Act, Administrative Procedure Act ("APA"), or both. 9



9 Although all Plaintiffs have standing, for the purposes of this motion, only a single Plaintiff need have
standing for the Court to grant summary judgment. See, e.g., Campbell v. U.S. Dep't of Agriculture, 515 F.
Supp. 1239, 1246 (D.D.C. 1981) (effect of decision would be the same "whether one or more than one
plaintiff is found to have standing").

The Complaint is also clear as to the claims made against Defendants, especially
regarding Defendants' violation of Privacy Act safeguards requirements relevant to this
motion. Plaintiffs seek relief for "violations of the [APA] and the Privacy Act of 1974."
Compl. ¶ 1. More specifically, Plaintiffs alleged that "Defendant Nicholson failed to
properly . . . ensure Plaintiffs' privacy rights were protected." Id. ¶ 2. Plaintiffs also
alleged that Defendant VA disregarded "privacy rights by recklessly failing to make even
the most rudimentary effort to safeguard [the stolen] personally identifiable information
[which was] unencrypted, easily copied, and, apparently, available to anyone aware of its
existence." Id. ¶ 4 (emphasis added). This allegation is fairly read to place Defendants
on notice of the nature of Plaintiffs' claims.

Moreover, Plaintiffs also alleged additional violations of the substance of 5
U.S.C. § 552(e)(10).

VA flagrantly disregarded Plaintiffs' privacy and caused Plaintiffs'
adverse effects by failing to establish or implement appropriate
administrative, technical, and physical safeguards to insure the security
and confidentiality of records and to protect against anticipated threats or
hazards to the records security or integrity, which could result in
substantial harm, embarrassment, inconvenience, or unfairness to any
individual on whom information was maintained. VA's security
deficiencies allowed, and continue to allow, a single individual to
compromise through disclosure the entire [VA] system of records.

Compl. ¶ 37; see also id. ¶ 39 (similar allegation against Defendant Nicholson). In
addition, Plaintiffs made even more explicit allegations.

Despite the repeated identification of problems, VA has been unable or
unwilling to properly secure the personal information under its control.
These repeated failures to correct known vulnerabilities of VA's
safeguards for Plaintiffs' private information demonstrated a reckless
disregard for privacy rights and intentional or willful violations of the
Privacy Act.

Compl. ¶ 26. 10 Plaintiffs further alleged that

The VA employee who reported the laptop computer stolen routinely took 
sensitive private information, including [Plaintiff's personal information], 
home since at least 2003. The employee had not received a security 
background check for approximately 32 years. 

Id. ¶ 27.

Plaintiffs also made it abundantly clear that Defendants' specified actions and
inactions were alleged to have caused Plaintiffs' damage. "Each of Defendants' failures
complained of caused Plaintiffs adverse effects including, but not limited to,
embarrassment, inconvenience, unfairness, mental distress, emotional trauma, pecuniary
damages and the threat of current and future substantial harm from identity theft."
Compl. ¶ 40; see also id. ¶ 59 ("Plaintiffs suffer, and continue to suffer, harm as a result
of Defendants' actions and from actions improperly withheld or unreasonably delayed");
id. ¶ 64 ("each of Defendants' violations of the Privacy Act caused Plaintiffs adverse
effects"). Plaintiffs alleged both "tangible and intangible damages." Id. ¶ 41. These
allegations are clear on their face and require no "unwarranted inferences" or improper
reliance on "conclusory allegations." See Baur v. Veneman, 352 F.3d 625, 637 (2d Cir.
2003). The Complaint, therefore, satisfies Rule 8 and associated requirements.

C. There Are No Material Facts As To Which There Is Genuine Issue 

As described in detail above, Defendants have admitted the material facts
unequivocally establishing numerous violations of the Privacy Act safeguards
requirements at 5 U.S.C. § 552(e)(10) as documented in the July 2006 VA OIG Report.
Further, Defendant Secretary Nicholson "agreed with the findings and recommendations"
contained in the report. VA OIG Rep't at vii; see also Id., Att. A, Letter from R. J.
Nicholson to G. Opfer (July 6, 2006) at 1. Significantly, Defendant Nicholson did not
challenge a single factual finding in the VA OIG Report and provided a "detailed
response" to each recommendation therein. Id., Att. A at 1. There is, therefore, no
legitimate basis for now challenging the same facts in this litigation. See Statement of
Material Facts as to Which There is No Genuine Issue (attached hereto).

10 Again, Plaintiffs are not seeking summary judgment on the issue of "willfulness" in this motion, only as
to an underlying Privacy Act violation.

D. Plaintiffs Are Entitled to Judgment As a Matter of Law 

Defendants have admitted or conceded numerous violations of the Privacy Act 
and 5 U.S.C. § 552a(e)(10) and 5 U.S.C. § 552a(g)(1)(D) unequivocally requires
judgment for Plaintiffs on the issue of liability for those violations. As described in detail 
above, Defendants ignored or acted in direct contradiction of Privacy Act mandates to 
"establish appropriate administrative, technical, and physical safeguards to insure the 
security and confidentiality of records and to protect against any anticipated threats to 
their security or integrity which could result in substantial harm, embarrassment, 
inconvenience, or unfairness to any individual on whom information is maintained." 5 
U.S.C. § 552a(e)(10) (emphasis added). Thus, this Court can and should award Plaintiffs 
summary judgment on Defendants' Privacy Act violations as a matter of law. 






Case 1:06-cv-01038-JR Document 18 Filed 01/09/2007 Page 30 of 31 



CONCLUSION 

This Court should grant Plaintiffs summary judgment on the issue of Defendants'
violations of the Privacy Act safeguards requirements at 5 U.S.C. § 552a(e)(10) because 
(1) Plaintiffs are properly before the Court; (2) Defendants have admitted material facts 
establishing one or more Privacy Act violations and (3) Plaintiffs are entitled to judgment 
as a matter of law for the admitted violations. 

Respectfully submitted, 

/s/ 



Dated: January 9, 2007 



L. Gray Geddie (D.C. Bar No. 421357) 
Douglas J. Rosinski (D.C. Bar No. 461275) 
Ogletree, Deakins, Nash, 
Smoak & Stewart, P.C. 
1320 Main St. 
Columbia, SC 29201-3266 
Attorneys for Plaintiffs 
UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA



VIETNAM VETERANS OF AMERICA,
et al.,

Plaintiffs, 



R. James NICHOLSON, et al, 



Defendants. 



Civ. No. 1:06-CV-01038(JR) 



[Proposed] 
ORDER 

THIS MATTER having come before the Court on Plaintiffs' Motion for Partial 

Summary Judgment, and good cause having been shown, it is hereby 

ORDERED that Plaintiffs' Motion is GRANTED. 



Dated: 



JAMES ROBERTSON 

United States District Judge 